GHSA-GFWX-W7GR-FVH7 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in nltk

Summary nltk.app.wordnetapp contains a reflected cross-site scripting issue in the lookup... route. A crafted lookup URL can inject arbitrary HTML/JavaScript into the response page because attacker-controlled word data is reflected into HTML without escaping. This impacts users running the local...

CVE-2026-31938

A flaw was found in jsPDF, a JavaScript library for generating PDFs. A remote attacker can exploit this vulnerability by providing malicious input to the options argument of the output function. When a victim creates and opens a PDF using this unsanitized input, arbitrary HTML, including scripts,...

GHSA-QQ9G-96V4-M3CJ Cross-Site Scripting (XSS) via Select Schema Option Value Injection in @pdfme/schemas

Summary The Select schema plugin in @pdfme/schemas constructs HTML from template-defined option values using unsanitized string interpolation and sets it via innerHTML, enabling arbitrary JavaScript execution. Details In packages/schemas/src/select/index.ts, lines 159-164, the Select schema's ui...

Cross-Site Scripting (XSS) via Select Schema Option Value Injection in @pdfme/schemas

Summary The Select schema plugin in @pdfme/schemas constructs HTML from template-defined option values using unsanitized string interpolation and sets it via innerHTML, enabling arbitrary JavaScript execution. Details In packages/schemas/src/select/index.ts, lines 159-164, the Select schema's ui...

CVE-2025-12518

CVE-2025-12518 : The beefree.io SDK is affected by a Stored XSS in the Social Media icon URL parameter used by the email builder. An attacker could inject arbitrary HTML/JavaScript into a template, which is rendered/executed when a preview page is opened. The issue is mitigated by Beefree's Conte...

CVE-2026-31938

jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.2.1, user control of the options argument of the output function allows attackers to inject arbitrary HTML such as scripts into the browser context the created PDF is opened in. The vulnerability can be exploited in the followi...

CVE-2026-31938

jsPDF prior to 4.2.1 is vulnerable: unsanitized user input passed to the output method’s options can inject HTML/scripts into the browser context when a PDF is opened. The issue is triggered when an attacker provides values via a web interface, which are forwarded to the victim’s browser and proc...

CVE-2026-31938 jsPDF has HTML Injection in New Window paths

jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.2.1, user control of the options argument of the output function allows attackers to inject arbitrary HTML such as scripts into the browser context the created PDF is opened in. The vulnerability can be exploited in the followi...

CVE-2026-31938 jsPDF has HTML Injection in New Window paths

jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.2.1, user control of the options argument of the output function allows attackers to inject arbitrary HTML such as scripts into the browser context the created PDF is opened in. The vulnerability can be exploited in the followi...

CVE-2026-31938

jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.2.1, user control of the options argument of the output function allows attackers to inject arbitrary HTML such as scripts into the browser context the created PDF is opened in. The vulnerability can be exploited in the followi...

CVE-2026-31938 jsPDF has HTML Injection in New Window paths

jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.2.1, user control of the options argument of the output function allows attackers to inject arbitrary HTML such as scripts into the browser context the created PDF is opened in. The vulnerability can be exploited in the followi...

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in jspdf.js, when user-controlled values are passed to the options argument, then included unsanitized in the generated HTML and opened by another user. An attacker can cause the execution of scripts in the...

GHSA-WFV2-PWC8-CRG5 jsPDF has HTML Injection in New Window paths

Impact User control of the options argument of the output function allows attackers to inject arbitrary HTML such as scripts into the browser context the created PDF is opened in. The affected overloads and options are: "pdfobjectnewwindow": the pdfObjectUrl option and the entire options object,...

CVE-2025-62320

HTML Injection can be carried out in Product when a web application does not properly check or clean user input before showing it on a webpage. Because of this, an attacker may insert unwanted HTML code into the page. When the browser loads the page, it may automatically interact with external...

CVE-2025-62320

CVE-2025-62320 describes an HTML Injection vulnerability affecting the HCL Unica Platform. The issue arises when a web application does not properly validate or sanitize user input before rendering it on pages, enabling an attacker to inject HTML. When a browser loads the affected page, it may au...

Stored Cross-Site Scripting (XSS)

librenms/librenms is vulnerable to Stored Cross-Site Scripting XSS. The vulnerability is due to improper sanitization of the alert rule name in the Alert Rule API, which allows an attacker to inject malicious HTML code when creating or updating alert rules via the API...

PT-2026-25977

Impact User control of the options argument of the output function allows attackers to inject arbitrary HTML such as scripts into the browser context the created PDF is opened in. The affected overloads and options are: "pdfobjectnewwindow": the pdfObjectUrl option and the entire options object,...

Admidio has an HTMLPurifier Bypass in eCard Message Allows HTML Email Injection

Summary The eCard send handler in Admidio uses the raw $POST'ecardmessage' value instead of the HTMLPurifier-sanitized $formValues'ecardmessage' when constructing the greeting card HTML. This allows an authenticated attacker to inject arbitrary HTML and JavaScript into greeting card emails sent t...

CVE-2025-57543

Cross Site scripting vulnerability XSS in NetBox 4.3.5 "comment" field on object forms. An attacker can inject arbitrary HTML, which will be rendered in the web UI when viewed by other users. This could potentially lead to user interface redress attacks or be escalated to XSS in certain contexts...

EUVD-2025-208699

Raytha CMS is vulnerable to Stored XSS via FieldValues1.Value parameter in post editing functionality. Authenticated attacker with permissions to edit posts can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting edited page. This issue was fixed in version...